Assign permissions to migrate mailboxes to Exchange Online

 

Applies to: Exchange Online

Important

This content will be retired soon. Please update all your bookmarks to the new content on https://support.office.com/, specifically: Assign Exchange permissions to migrate mailboxes to Office 365.

When you migrate on-premises Exchange mailboxes to Exchange Online, the on-premises user account that you use to connect to your on-premises Exchange organization during the migration (called the migration administrator) must have the necessary permissions to access and, in some cases, modify the on-premises mailboxes that you want to migrate. This user account is used to create a migration endpoint to your on-premises organization. To successfully create a migration endpoint (or create a migration batch if no migration endpoints exist in your Exchange Online organization), the migration administrator must have the necessary administrative privileges in your on-premises Exchange organization. The following list shows the administrative privileges required for the migration administrator account to migrate mailboxes to Exchange Online using the different types of migration:

  • Staged Exchange migration

    For a staged migration, the migration administrator account must be:

    • A member of the Domain Admins group in Active Directory in the on-premises organization.

      Or

    • Assigned the FullAccess permission for each on-premises mailbox AND the WriteProperty permission to modify the TargetAddress property on the on-premises user account.

      Or

    • Assigned the Receive As permission on the on-premises mailbox database that stores the user mailboxes AND the WriteProperty permission to modify the TargetAddress property on the on-premises user account.

  • Cutover Exchange migration

    For a cutover migration, the migration administrator account must be:

    • A member of the Domain Admins group in Active Directory in the on-premises organization.

      Or

    • Assigned the FullAccess permission for each on-premises mailbox.

      Or

    • Assigned the Receive As permission on the on-premises mailbox database that stores the user mailboxes.

  • IMAP migration

    For an IMAP migration, the CSV file for the migration batch must contain:

    • The user name and password for each mailbox that you want to migrate.

      Or

    • The user name and password for an account in your IMAP messaging system that has the necessary administrative privileges to access all user mailboxes. To learn whether your IMAP server supports this approach and how to enable it, see the documentation for your IMAP server.

  • Remote move migration in Exchange hybrid deployments

    For remote move migrations, the migration administrator account must be:

    • A member of the Domain Admins group in Active Directory in the on-premises organization.

      Or

    • A member of the Exchange Recipients Administrators group in Active Directory in the on-premises organization.

      Or

    • A member of the Organization Management or Recipient Management group in Exchange 2010 and Exchange 2013.

You can use the Exchange Management Shell in your on-premises organization to quickly assign the necessary permissions to migrate mailboxes to Exchange Online.

Note

Because Exchange Server 2003 doesn't support the Exchange Management Shell, you have to use Active Directory Users and Computers to assign the Full Access permission and Exchange Server Manager to assign the Receive As permission. For more information, see:

For information about migrating mailboxes to Exchange Online using different migration types, see the following:

What do you need to know before you begin?

  • Estimated time to complete each procedure: 2 minutes.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Permissions and delegation" entry in the "Recipient Provisioning Permissions" section in the Recipients Permissions topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

What do you want to do?

Use the Exchange Management Shell to assign the Full Access permission

The following examples show different ways to use the Add-MailboxPermission cmdlet to assign the Full Access permission to the migration administrator account for mailboxes in your on-premises organization.

This example assigns the migration administrator account (for example, migadmin) the Full Access permission to the mailbox of Terry Adams.

Add-MailboxPermission -Identity "Terry Adams" -User migadmin -AccessRights FullAccess -InheritanceType all

This example assigns the migration administrator account the Full Access permission for all members of the distribution group MigrationBatch1.

Get-DistributionGroupMember MigrationBatch1 | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

This example assigns the migration administrator account the Full Access permission for all mailboxes that have the value of MigBatch2 for CustomAttribute10.

Get-Mailbox -ResultSize unlimited -Filter {(CustomAttribute10 -eq 'MigBatch2')} | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

This example assigns the migration administrator account the Full Access permission to all user mailboxes in the on-premises organization.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

For detailed syntax and parameter information, see the following topics:

How do you know this worked?

To verify that you've successfully assigned the Full Access permission to the migration administrator account using the command in each of the previous examples, run one of the following commands.

    Get-MailboxPermission -Identity <mailbox> -User migadmin
    Get-DistributionGroupMember MigrationBatch1 | Get-MailboxPermission -User migadmin
    Get-Mailbox -ResultSize unlimited -Filter {(CustomAttribute10 -eq 'MigBatch2')} | Get-MailboxPermission -User migadmin
    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Get-MailboxPermission -User migadmin

Use the Exchange Management Shell to assign the Receive As permission

The following example shows how to use the Add-ADPermission cmdlet to assign the Receive As permission to the migration administrator account for the mailbox database named "Mailbox Database 1900992314".

Add-ADPermission -Identity "Mailbox Database 1900992314" -User migadmin -ExtendedRights receive-as

For detailed syntax and parameter information, see Add-ADPermission.

How do you know this worked?

To verify that you've successfully assigned the Receive As permission to the migration administrator account for a mailbox database, as shown in the previous example, run the following command.

Get-ADPermission -Identity "Mailbox Database 1900992314" -User migadmin

Use the Exchange Management Shell to assign the WriteProperty permission

The following examples show different ways to use the Add-ADPermission cmdlet to assign the migration administrator account the WriteProperty permission to modify the TargetAddress property on on-premises user accounts. This capability is required to perform a staged Exchange migration if the migration administrator isn't a member of the Domain Admins security group.

This example assigns the migration administrator account (for example, migadmin) the WriteProperty permission to modify the TargetAddress property for the user account of Rainer Witte.

Add-ADPermission -Identity "Rainer Witte" -User migadmin -AccessRights WriteProperty -Properties TargetAddress

This example assigns the migration administrator account the WriteProperty permission to modify the TargetAddress property for all members of the distribution group StagedBatch1.

Get-DistributionGroupMember StagedBatch1 | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

This example assigns the migration administrator account the WriteProperty permission to modify the TargetAddress property for all user accounts that have the value of StagedMigration for CustomAttribute15.

Get-User -ResultSize unlimited -Filter {(CustomAttribute15 -eq 'StagedMigration')} | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

This example assigns the migration administrator account the WriteProperty permission to modify the TargetAddress property for user mailboxes in the on-premises organization.

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

For detailed syntax and parameter information, see the following topics:

How do you know this worked?

To verify that you've successfully assigned the WriteProperty permission to the migration administrator account to modify the TargetAddress property using the command in each of the previous examples, run one of the following commands.

    Get-ADPermission -Identity <mailbox> -User migadmin
    Get-DistributionGroupMember StagedBatch1 | Get-ADPermission -User migadmin
    Get-Mailbox -ResultSize unlimited -Filter {(CustomAttribute15 -eq 'StagedMigration')} | Get-ADPermission -User migadmin
    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Get-ADPermission -User migadmin
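
The verification commands above list raw permission entries. The following script is an added example, not part of the original article. It combines the Full Access and WriteProperty checks for one staged batch into a single report, and goes one step beyond the page by showing the matching Remove-MailboxPermission and Remove-ADPermission calls for after the batch completes. It assumes the page's sample names (migadmin, StagedBatch1) and that every group member is a mailbox user.

```powershell
# Added example; names below are the page's sample values, not real accounts.
$MigAdmin = 'migadmin'        # migration administrator account
$Batch    = 'StagedBatch1'    # distribution group that holds the batch

# 1. Audit: for each batch member, record whether migadmin holds both rights.
#    Only explicit grants to $MigAdmin are listed; rights that come from
#    group membership (for example Domain Admins) do not appear here.
$report = foreach ($m in Get-DistributionGroupMember $Batch -ResultSize Unlimited) {
    $dn = $m.DistinguishedName
    $full = Get-MailboxPermission -Identity $dn -User $MigAdmin |
        Where-Object { -not $_.Deny -and "$($_.AccessRights)" -match 'FullAccess' }
    $write = Get-ADPermission -Identity $dn -User $MigAdmin |
        Where-Object { -not $_.Deny -and
                       "$($_.AccessRights)" -match 'WriteProperty' -and
                       "$($_.Properties)"   -match 'TargetAddress' }
    New-Object PSObject -Property @{
        Mailbox            = $m.Name
        FullAccess         = [bool]$full
        WriteTargetAddress = [bool]$write
    }
}

# Members still missing a right (empty output means the batch is ready).
$report | Where-Object { -not ($_.FullAccess -and $_.WriteTargetAddress) } |
    Format-Table Mailbox, FullAccess, WriteTargetAddress -AutoSize

# 2. Cleanup after the batch has finished: remove the same grants.
#    -WhatIf makes this a dry run; drop it to apply the change.
foreach ($m in Get-DistributionGroupMember $Batch -ResultSize Unlimited) {
    Remove-MailboxPermission -Identity $m.DistinguishedName -User $MigAdmin `
        -AccessRights FullAccess -InheritanceType All -WhatIf
    Remove-ADPermission -Identity $m.DistinguishedName -User $MigAdmin `
        -AccessRights WriteProperty -Properties TargetAddress -WhatIf
}
```

Scoping the grants to a batch group and removing them once the batch completes keeps the migration administrator's standing access to mailboxes as small as the migration allows.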